Opening ports on your router is never safe ! There're alot of bots trying to bruteforce opening ports on the web (specially ssh port 22)
With SSH I would disable the password authentication a only used key based authentication. Also disable root access. (Don't know how it works with forgero though)
I would recommend something like wireguard, you still need to open a port on your router, but as long as they don't have your private key, they can't bruteforce it. (You can even share the wireguard tunnel with your friend :))
Also use a reverse proxy with your docker containers.
There are a lot of things you could do to secure everything, but If you relatively new to selfhosting, there's a steep learning curve and a lot of time needed to properly secure everthing up. You could be safe by doing nothing for a few months but as soon as someone got into your system, you're fucked !
But don't discourage yourself, selfhosting is fun !